| CVE-2026-4557 | code-projects Exam Form Submission update_s1.php cross site scripting | code-projects | Exam Form Submission | Medium | 4.3 | 2026-03-22 17:29:32 | Deep Dive |
| CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | jetmonsters | JetFormBuilder — Dynamic Blocks Form Builder | High | 7.5 | 2026-03-21 06:45:14 | Deep Dive |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | reputeinfosystems | Contact Form, Survey, Quiz & Popup Form Builder – ARForms | Medium | 5.6 | 2026-03-21 03:26:54 | Deep Dive |
| CVE-2026-2440 | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | High | 7.2 | 2026-03-21 03:26:31 | Deep Dive |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder | Critical | 9.8 | 2026-03-20 21:25:11 | Deep Dive |
| CVE-2026-32460 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.36 - Cross Site Scripting (XSS) vulnerability | Themefic | Ultimate Addons for Contact Form 7 | Medium | - | 2026-03-13 11:42:23 | Deep Dive |
| CVE-2026-32446 | WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability | Syed Balkhi | Contact Form by WPForms | Medium | - | 2026-03-13 11:42:21 | Deep Dive |
| CVE-2026-32433 | WordPress CP Contact Form with Paypal plugin <= 1.3.61 - SQL Injection vulnerability | codepeople | CP Contact Form with Paypal | Medium | - | 2026-03-13 11:42:18 | Deep Dive |
| CVE-2026-32432 | WordPress WP Time Slots Booking Form plugin <= 1.2.42 - Broken Access Control vulnerability | codepeople | WP Time Slots Booking Form | Medium | - | 2026-03-13 11:42:18 | Deep Dive |
| CVE-2026-32332 | WordPress Easy Form plugin <= 2.7.9 - Broken Access Control vulnerability | Ays Pro | Easy Form | Medium | - | 2026-03-13 11:41:56 | Deep Dive |
| CVE-2026-3986 | Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings | codepeople | Calculated Fields Form | Medium | 6.4 | 2026-03-13 08:25:18 | Deep Dive |
| CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | Medium | 5.3 | 2026-03-13 08:25:17 | Deep Dive |
| CVE-2026-2890 | Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse | strategy11team | Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | High | 7.5 | 2026-03-13 07:23:40 | Deep Dive |
| CVE-2026-1454 | Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting | themehunk | Lead Form Builder & Contact Form | High | 7.2 | 2026-03-11 08:24:46 | Deep Dive |
| CVE-2026-2707 | weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API | boldgrid | weForms – Easy Drag & Drop Contact Form Builder For WordPress | Medium | 6.4 | 2026-03-11 05:27:18 | Deep Dive |
| CVE-2026-3453 | ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration | properfraction | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | High | 8.1 | 2026-03-11 02:22:46 | Deep Dive |
| CVE-2026-2420 | LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | lotekmedia | LotekMedia Popup Form | Medium | 4.4 | 2026-03-07 07:22:03 | Deep Dive |
| CVE-2026-3459 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5 - Unauthenticated Arbitrary File Upload | glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 | High | 8.1 | 2026-03-05 18:25:46 | Deep Dive |
| CVE-2026-2599 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' | crmperks | Database for Contact Form 7, WPforms, Elementor forms | Critical | 9.8 | 2026-03-05 12:26:06 | Deep Dive |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() | saadiqbal | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | Medium | 6.5 | 2026-03-04 11:22:31 | Deep Dive |